PoPI Act - opt-in and opt-out compliance from a data value chain perspective: A South African insurance industry experiment

Abstract

Personal information is collected and processed by various companies when individuals buy products and services, share their information on social media or enter their details in competitions and so on. This personal information, which could potentially also be shared with third party companies, is analyzed to tailor services and products to consumer's preferences and online behavior, with the objective of creating a data value chain. When the Protection of Personal Information (PoPI) Act (2013) comes into effect in South Africa, companies will have to comply with the conditions of PoPI and protect individuals' personal information accordingly. Companies will only be allowed to use personal information for the agreed purpose it was collected for and must obtain individuals' consent to share or further process their information. This research sets out to monitor the flow of personal information through an experiment to establish if data value chains are shaped within the South African insurance industry, and to establish whether the consumer's personal information, which is part of the data value chain, is processed in line with certain conditions of PoPI. The experiment highlighted that some of the insurance companies in the selected sample did not comply with the opt-in or opt-out preferences of the researcher. In addition some did not meet with the condition to obtain consent before sharing personal information with third parties for marketing purposes. No formal data value chains could be identified during the time frame of this experiment as it was found that the researcher was contacted randomly about generic marketing and communication offerings.